Posted
by
msmash
on Tuesday March 15, 2016 @02:16PM
from the not-sure-if-care-or-marketing-tactics dept.

Reader v3rgEz writes: International customers are becoming increasingly concerned about the U.S.'s data snooping practices, and it appears Microsoft has devised a solution to make them happy: Set up Azure cloud in a foreign region. Because it's under the technical ownership of a German company named Deutsche Telekom, even Microsoft doesn't have access to the data. The move is not surprising, but it could set a precedent that encourages others to move their corporate data away from U.S. shores to countries that take a friendlier view of encryption and data privacy. From the official blog post, "Microsoft has -- in this new model -- no rights at all to access customer data. Only for special purpose like a support call from a customer a temporary access will be granted by the Data Trustee to the Microsoft engineer, and only for the specified area. After that time (using a technology similar to what you might know as JIT) all access is revoked automatically. So to repeat: Access is granted to the Microsoft engineer only by the Data Trustee. Microsoft has no way to grant that access to itself."

What happens when Microsoft, operating under a secret NSA Security Letter, intentionally induces a fault in the Azure Cloud service of an individual of interest. And then of course the Data Trustee gives the Microsoft engineer access to the customer's data. If the NSA knows what they want, the access would not have to be for an extended period of time.No, this won't work for mass surveillance or even continuous surveillance of one individual. But it is not data security of the type implied by the announ

Or they could just barter intelligence deals with German intelligence to have *them* hand over the information directly.

These are government intelligence agencies here. The NSA certainly could social engineer themselves the information, or induce faults on a case by case basis, but why do that when you can just cut a deal or two? The NSA has so much juicy information that German intelligence would be happy to trade for.

Sorry, what? German intelligence would never do that? Yes... sorry... I'm not laughing, that's just a lot of coughing. That's the ticket.

Well, Deutche Telekom is (or was) the German State telephone company, kind of like the Post Office in Britain, owned and operated by the government. They have many subsidiary companies, in the U.S. we know them as T-Mobile and T-Systems.

So, they are one step closer to ease of mass surveillance than we are in the US, in that the "cloud" data or whatever is _already_ in the German Gov't.'s hands, basically.

and serve Microsoft in the same writ. I think this sort of hocus-pocus would only work in places where there is minimal infrastructure and no treaties with the US. like, say North Korea. places where you KNOW your data is being analyzed, mangled, and monetized.

so the ultimate responsibility has to be the Congress formally recognizing the first amendment still applies to technology that didn't exist at the time they were sharpening their goose quills to write the document.

"Was". It was privatized a long time ago. So there is no direct control of the Deutsche Telekom by the German government.

Of, course, when the German government asks Deutsche Telekom for a "favor", they are not going to say no. Especially if there are some laws backing the government up. There's another set of secret squirrels in Germany called "Verfassungsschutz", which means something like "protection of the constitution". They have broad powers for snooping on folks that are deemed enemies of the state.

tnk1, I'm inclined to think that the worm has turned in Germany. Exposure of spying by the US on the Chancellor and other high government officials has poisoned the well. It would be a political death sentence for any politician or government employee who was caught helping the US spy on Germans.

Deutsche Telekom runs one of the biggest ISPs in Germany: T-Online. Part of their RADIUS platform is a component called "LI" . . . "Lawful Interception". The spooks can directly access this, without any assistance from the T-Online operator. And, in fact, LI even hides and obfuscates the taps that are in place. So if a drug cartel smuggled in a rogue T-Online operator, this person would not be able to tell the drug cartel that they were being spied on. The other ISPs in Germany probably do the same th

That's not what this move is about. It's about information that can be legally introduced into an U.S. court. Now the U.S. state attorney has to jump through the loop and actually ask a german court to force Deutsche Telekom to release the information requested, which until now they tried to avoid as much as possible. Especially in cases where the U.S. sentencing laws are considered draconic in Germany, this request might be denied on legal grounds. If for instance an U.S. state attorney would put pressure

The NSA doesn't need this, any more than they need a National Security Letter to access US data, as long as it's not encrypted well. When I worked at MS, we would half-joking blame (assumed) NSA taps on the low quality we'd see in WAN connections between DCs. It was a bit of a shock to discover from Snowden it was all true (MONKEY PUZZLE was the codename for those NSA taps, IIRC).

It's different if the data is encrypted in such a way that MS only has access to the metadata (which should be enough for custo

You know, that was my knee-jerk reaction too - right up until I pondered . . .

Think about it - in one shot, Microsoft gains something to offer both commercial and (paying) consumer customers - the expectation that encrypted data will remain private -- while simultaneously leaving Apple twisting in the wind in this whole US Gubberment vs. Everyman BS that's playing itself out right now in our "Judicial" system.

Big bucks triumphs over Big Brother. The Ferengi are right - greed is eternal.

This may seem like a distinctly American problem, but it is global. Every government; from the direst dictatorships to the most liberal democracies, wants their own version of the "Snooper's Charter", and wants to crush anyone who dares question their unlimited right to spy on their own citizens 24/7. This is a theory of government that is unconstrained by any notion of civil liberty, responsible or constrained government power.

The world is run by sociopathic monsters with a pack of braindead retarded legislators who gave up actually governing years ago.

I'd actually like for Microsoft to have the same onus in the USA. Don't touch stuff only and unless you get a secondary auth key from a trustee of the account's data, verified by both sets of credentials, and then only for the session or four hours, which ever is less. A reauth would be needed if they can't fix something within the four hours. The key has to be a healthy, domain curated hefty key. Then: goodbye.

JIT is a common terminology for many things. Just In Time Access, Just In Time Manufacturing, Just in Time Production and numerous others. Just in computing the most common one is just in time compilers.

The term JIT predates compilers and goes back to automobile manufacturing practices where companies would minimise excess stock by optimizing manufacture workflow so that parts come online just as they are needed.

The only way they could not possibly access the data was if they did not develop the software and consequently could not use their update mechanisms, back doors and other established methods to gain access when so requested. So is the author trying to tell us Microsoft is no longer the software developing company behind Azure and Windows?

Now of course if you own the box via it's operating system, that sends data to the cloud and gets data from the cloud. What is to stop that box sending a copy elsewhere at the same time an unencrypted copy. M$ is screwed people that wont touch their OS won't touch their cloud either. Their prying ways with the backing of the US government has put them in a pickle, no one trusts them any more with any thing. For games meh, who cares for real world secure applications, you'd need to have your head read.

While I agree that it's best to keep data out of the US, it's hardly the only country on the list. What really matters though is keeping the data outside the jurisdiction that the company and customer are based in. Make sure that it requires an international effort to get the data, which is encrypted with a key in another jurisdiction anyway.

The goal is to increase the cost in both time and money, to discourage fishing trips and laziness. If it's hard to do, law enforcement will only bother if it's really w

After betraying their customers for years by doing stupid shit like uploading their encryption keys to OneDrive by default, Microsoft wants to jump in on the fame and honor that Apple is getting for refusing to make malware in order to unlock a terrorist's iPhone. Hurray, off-shore data lodging! Ultimately though this'll mean nothing but a teeny bit more latency for PRISM, which Microsoft has oh-so-willingly cooperated with the NSA to power for years.

After betraying their customers for years by doing stupid shit like uploading their encryption keys to OneDrive by default, Microsoft wants to jump in on the fame and honor that Apple is getting for refusing to make malware in order to unlock a terrorist's iPhone. Hurray, off-shore data lodging! Ultimately though this'll mean nothing but a teeny bit more latency for PRISM, which Microsoft has oh-so-willingly cooperated with the NSA to power for years.

Basically, Microsoft has been fighting this case for years now. If the US wins, then it can mandate that Microsoft must turn over data anywhere in the world with just a warrant. That doesn't pass muster with EU laws. So, if the US wins, then all of a sudden it becomes illegal for an EU business to use any Microsoft cloud service, or at least extremely risky for them to do so.

This new service is something where they can tell the US government, "We phisically can't do that." Just like how Apple will probably push out an IOS upgrade that prevents flashing new firmware to a phone while locked without wiping the device.

US Government: "We will fine you until you comply with the order giving us access to the servers."
Microsoft:"Those aren't our servers. We don't have access."
Government: "Comply or be fined a million dollars a day."
Microsoft files bankruptcy in AD 3276.

MS and other companies have no objection to proper court orders in the appropriate country following due process. This move is due to the US governments unwillingness to follow due process and demand access to servers and data residing in foreign countries without going through the legal processes of that country. So going to German court and arguing the case for access they will be fine with, but of course that will be issued against Deutch Telkom not MS

The point is to put the servers under the control of the government which is deemed more trustworthy by the customers. And it doesn't even have to be all or most customers - just a subset. Say, those in EU.

Hopefully, there will be more similar centers opening in other countries in the future, so that customers can actually shop around, and pick the country with surveillance laws and/or track record that they're most comfortable with.

Comes down to can Microsoft be trusted and that answer we all know is a flat out No. Forcing people to download adware to get a security patch is flat out evil and all the tricks they have been using to get people to switch to Windows 10 is also evil. So Microsoft is a 100% untrustable and evil IMO based on those facts.

I would say the most annoying part about the Win 10 upgrade notifications is that I ran the compatibility test and failed but does that mean I stop getting the upgrade notifications and Win 10 ads... NO!

Like most things this I'm guessing this comes down to money (not that that's always a bad thing).

In many market segments (think government, healthcare) data residency requirements are build into any contracts. Having a European data center likely allows them to big and win business in these markets.

While your point is accurate, the Feds often don't want to do what the foreign agencies require in order to get the exchange. So it's not pointless. And there are legal liability issues, so again it's not pointless.

Now if what you mean is that the customer's data isn't being protected anyway, you're probably right. But that's not what you said.

Microsoft Windows 10 monitors the user in my opinion more than any exploration of the world, I really understand those users who are concerned about their safety and privacy, I think this is only the beginning, many companies are engaged in the surveillance of Internet users it is only necessary to look deeper at the problem of personal data

No, it would be different: NSA to Microsoft: Hand over the code and release this fix so we can backdoor account X. And the next update the account can be compromised. This update will only spread to updates for server Y which holds account X.

Microsoft's betting on Azure being the next IBM mainframe-style lock in device for IT. It seems to me like their goal is to get IT people thinking in Azure terms whenever they design anything, such that it becomes one of only a couple of ways to get anything deployed. Look at Windows Server 2016 and the upcoming Azure Stack -- Microsoft is basically telegraphing that the days of an on-site server not controlled by the Azure resource manager are on the way out. I'm betting Server 2016 is one of the last "monolithic" server releases, and the rest is going to be an Azure-y collection of services that you turn on and off either in the cloud or in your own datacenter.

Given that, and given Germany's privacy laws, it makes perfect sense that they would essentially build a "Public Azure Stack" to work around that detail. Whether every single company decides they're not afraid of the public cloud or not is in question, but Microsoft's looking to control that conversation and slowly bring everyone into the ongoing monthly charges model. Makes sense too -- either collect one fee for Windows Server one time, or sell it over and over again in monthly installments forever -- the choice seems obvious!

They did a similar setup in China, but for a different reason. The Chinese government wanted one of their service providers to have access to everything. Same separation of ownership, completely different outcome.

Who really thinks that the Germans are more friendly about privacy and encryption? European laws might grant individuals some recourse about the use of data by corporations, but don't count on corresponding constraints on government. The difference between what ends up in German vs American government hands has more to do with how developed their snooping infrastructure is, not on whether the legal environment is more "friendly"

Set up Azure cloud in a foreign region. Because it's under the technical ownership of a German company named Deutsche Telekom, even Microsoft doesn't have access to the data

Deutsche Telekom is roughly the German equivalent of AT&T: a former government-sponsored monopoly. It is in bed with the German government; they are actually still 30% government owned. You can bet that if you put your data on that cloud, the German government, intelligence agencies, and police are going to get full access to it.

OK, I am an American admin heading over to Germany for a security audit, code update, bug tracking, etc. (at the airport 8 thugs in cheap suits hand me a security letter from the DOJ saying that if I don't comply I go to jail. If I tell anyone about the security letter, I go to jail. If I call a lawyer they haven't approved, I go to jail. But at the same time they tell me that they are trying to stop very very bad people and that it would improve my job prospects with future applications to various securit